Dr. C. Jordan Howell, an Assistant Professor in the Department of Criminology at the University of South Florida. Before his current appointment, Dr. Howell was an assistant professor in Intelligence and National Security Studies at the University of Texas at El Paso and Associate Director of the Evidence-Based Cybersecurity Research Laboratory. He received his doctorate in criminology from the USF, where he also earned a graduate certificate in digital forensics and a master’s degree in criminology.
Dr. Howell’s research focuses on the human factor of cybercrime. He employs advanced computer science techniques to gather threat intelligence, which is then used to test social scientific theory, build profiles of active cyber-offenders, plot criminal trajectories, and disrupt the illicit ecosystem enabling cybercrime incidents.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Dr. C. Jordan Howell, an assistant professor in the Department of Criminology at the University of South Florida (USF).
Dr. Howell discusses his journey into cybersecurity and the educational opportunities available at USF. He emphasizes the importance of a holistic approach to cybersecurity education, incorporating both technical and human factors.
Dr. Howell also highlights the research opportunities and extracurricular activities available to students at USF, such as the Sarasota Cybersecurity research lab and the Cyber Defense Club.
He advises students to be lifelong learners and stay updated on the fast-evolving cybersecurity landscape. Dr. Howell predicts that the cybersecurity industry will undergo a paradigm shift, with a greater emphasis on interdisciplinary education and a proactive approach to cybersecurity.
Listen to the episode
Here is a full transcript of the interview
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is Dr. C. Jordan Howell, an assistant professor in the Department of Criminology at the University of South Florida. We’re going to be discussing cybersecurity educational opportunities at USF. I’d like to tell you a little bit about our guest before we bring him in. Before his appointment as an assistant professor in the Department of Criminology at the University of South Florida, Dr. Howell was an assistant professor in intelligence and national security studies at the University of Texas at El Paso and associate director of the Evidence-Based Cybersecurity Research Laboratory.
He received his doctorate in criminology from USF where he also earned a graduate certificate in digital forensics and a master’s in criminology. Dr. Howell’s research focuses on the human factor of cybercrime. He employs advanced computer science techniques to gather threat intelligence, which is then used to test social scientific theory, build profiles of active cyber offenders, plot criminal trajectories, and disrupt the illicit ecosystem enabling cybercrime incidents. So, I’m very excited to welcome and have what I’m going to find an interesting conversation, I’m sure, with Dr. Howell. So, welcome, Dr. Howell. Thank you for joining me today.
Jordan Howell:
Yeah, it’s fantastic to be here, but no need for the titles. I prefer to go by Jordan.
Steve Bowcut:
Very good.
Jordan Howell:
It’s more conversative and I just prefer to be more down to Earth with the names.
Steve Bowcut:
Well, I appreciate that, Jordan, thank you for being with us. We really do appreciate your time. I know you’re a busy guy. I’ve spent a little time looking into your background and some of the things that you’ve got going on, so I feel really honored that we’ve got you to ourselves for a little bit here today. So, I appreciate that.
So, let’s help our audience understand how you got to where you are at. So, as students are thinking about getting into cybersecurity and that being their career choice, I think that they’ll find it interesting to know how that happened for you. So, how did you first become interested in cybersecurity?
Jordan Howell:
So, I had a weird journey, at least weird meaning non-traditional in comparison to some of my colleagues and other individuals I know in the field of cybersecurity. I’m 14, 15 years old, I’d just turned 15 and I get my first job, right? I’m working at a fast food restaurant. I’m saving up for a car. I’m really excited.
And I’m this vocal person. I’ve always been very extroverted. I like talking to people. So, they put me at the window. Right? I was the cashier, right? Because they wanted me to be the face, the person that individuals saw when they came in, because I’m smiling, I’m conversative. Customers liked me. They were repeat customers as a result of those interactions.
And I worked this cash register every day after school for a couple hours, right? Making $5.75. And it’s a local place, right? It’s not even franchise. It’s only in Tennessee, which is the state in which I grew up. And while working at this cash register, I found an exploit in the system that allowed you to essentially gain administrative privileges and void out orders that have already been taken after money has already been exchanged. So, an individual could pay for whatever they ordered at this restaurant and then after the fact you could make it look as if it never happened.
So, I’m thinking about this. I’m obsessed with it. Right? In between cars, in between orders, I’m sitting there and I’m writing out how this works and how it can be exploited. And I’m not a very smart kid, right? I go to this school in Appalachia, Tennessee, middle of nowhere. Right? It’s placed right in the middle of a cow field. When we would skip school, we actually had to run from the bulls and jump a couple fences.
But it’s just so obvious to me. I see it plain as day, and I write it out and I finally get this report that’s written on the back of a napkin at this restaurant. And I take it to the general manager, the guy who runs the whole operation, and I lay it out for him, “This is how an individual can gain access to the system. This is how these orders can be voided after the fact. And this is how an individual working in my position could steal a ton of money.” Right? I lay it out for him, right? And he’s like, “Okay. Okay.” He doesn’t really say much to me. I leave. I come back the next day and I’m no longer allowed to be the cashier. That was the response, right?
Steve Bowcut:
That’s how they fixed it.
Jordan Howell:
That’s how they fixed it. Right? They didn’t fix the issue. They simply moved me to another position. And when the assistant manager asked me why, I explained to her what I told the general manager. She was more interested in what I said. Now, I’ll explain that in a second. It’s a funny story.
But ultimately nothing happened. They moved me. I was really upset by it, to be honest, right? Because I thought about this. I took it to them and they pretty much gave me a middle finger. I quit. Right? I was upset. I accepted a job as a lifeguard, which was much better, right? Now, I’m no longer working at this fast food restaurant. I work as a lifeguard, essentially flirting with other people.
Steve Bowcut:
There you go.
Jordan Howell:
[inaudible 00:05:41] 15 years old, right? Because I was 15 or 16 at the time. A year later, I go back through and one of my buddies is still working there, and he says, “You’ll never believe what happened.” “What happened?” Right? He’s like, “The assistant manager, remember you told her how this system worked, right? She got caught stealing tens of thousands of dollars.” [inaudible 00:05:58].
Steve Bowcut:
Oh, no.
Jordan Howell:
And it’s funny because when I talked to the general manager, I explained how the system worked and how someone would get caught, but I didn’t explain this to her, right? I just explained the overall exploit, and she essentially butchered the entire thing, got caught, fired.
Steve Bowcut:
Wow.
Jordan Howell:
It was a good feeling, right? Because I knew it could happen, I explained it, and as a result of them not listening to me, they essentially lost tens of thousands of dollars over the course of the next year.
So, it was interesting. At the time I thought I wanted to do something in FBI, CIA type work. I’ve realized since then, that’s not what I want to do. I’m not interested in getting people arrested. I’m not interested in investigations anymore. But at the time, that’s what I thought I wanted to do. So, I started pursuing a degree in criminal justice, criminology, which led to the PhD that you spoke about.
But while in the PhD program, I realized I really wasn’t learning the skills to do what I wanted to do. If you ask, “By a show of hands, who here,” in a criminology class, “wants to be CIA, FBI?” Everyone’s hand shoots up, 99% of the class.
Steve Bowcut:
Right.
Jordan Howell:
But the professors simply aren’t equipped to teach the skills these students need to land the jobs in the FBI, the CIA. They want people to understand numbers, computers, technology. And I soon realized that and I realized I needed to get an additional skillset that made me relevant, both in academia but in practice as well. So, that’s when I dual-enrolled in the digital forensics program, and it was a really great experience. I learned how to essentially systematically extract information that could be used for investigative purposes. But again, I realized early on I didn’t want to be an investigator. I didn’t want to work in the criminal justice system.
So, I started thinking on how I could use forensic type techniques to advance my research agenda and advance cybersecurity as a whole, right? At a higher level, right? We’re not investigating one individual, we’re finding ways to systematically extract data to understand the threat landscape. And while I’m finishing up that program, I get a call from David Maimon, one of my supervisors at Georgia State University, and he says, “Jordan, I just accepted a job at GSU and we’re building out this lab, the Evidence-Based Cybersecurity Research Group. Do you want to come down and be my postdoc?” I said, “Well, that sounds fantastic.” But I had just started the PhD program, right? And by definition, a postdoc means post-doctoral degree.
Steve Bowcut:
Yeah, exactly.
Jordan Howell:
So, I explained that and they’re like, “You know what? It’s fine. Come on down. We’ll make it work.” Right? So, it was an interesting experience because while I was enrolled in the PhD program at USF, I was actually at Georgia State helping develop the Evidence-Based Cybersecurity Group, which is becoming a center this year. They’ve done a fantastic job. While there, we generated millions of dollars, created tons of partners both in government and the private sector as well. And that really got me more involved in the more hands-on data analytics, computer science side of cybersecurity.
So, I was there for two years. Graduated at USF and went over to the University of Texas at El Paso, as you mentioned in the introduction, where I was an assistant professor in intelligence and national security studies. And that’s where I got more interested in understanding how we could extract information using intelligence gathering techniques to improve upon the security posture of organizations, government entities, et cetera.
It was a successful endeavor. We worked with, again, people from across sectors, the financial sector, governments, even the medical sector as well. And that essentially led me to be recruited to come back to USF, to build upon our cybercrime, cybersecurity infrastructure. And when I got here, I still realized I was at a bit of a deficit, right? Because cybersecurity, to be real, to be robust, it needs to be holistic. Right? You can’t have one set of skills. You need to understand both the human and the tech dimensions, but those encompass lots of different areas that often fall through the cracks.
So, once I got here, I started up Sarasota Cybersecurity. It’s an interdisciplinary research lab that has members from all over the globe with various academic backgrounds, some people in criminology, some in the College of Business, computer science, et cetera. And that allows us to exchange thoughts, foster ideas, and really provide that holistic training to our student body. But to ensure that I had the skills to continue teaching my students and being a real mentor, I immediately enrolled in a cybersecurity program here at USF as well. I’m doing another master’s degree. I’m finishing next semester. So, I’m excited for that.
Steve Bowcut:
Good. Cool.
Jordan Howell:
And along the way, picked up several graduate certificates, strategic intelligence, cyber intelligence, et cetera. So, my path’s been interesting in that I’ve moved around a lot. I’ve drawn from several different disciplines, really in an attempt to create something that’s no longer academic in nature. Right? Everyone draws these lines, “Cybersecurity is this. Cybersecurity is that.” Right? But when those lines are drawn, they’re purely academic.
So, for us, for me, it’s all about drawing from these different disciplines, working with the financial sector, working with our industry partners to ensure we’re offering something real, that has meaning and can advance cybersecurity as both an academic discipline and a practice as well.
Steve Bowcut:
Wow, that’s fascinating. Thank you so much. I appreciate that. And I agree it’s been an atypical journey for you to get to where you’re at, but I think that probably adds to what you have to offer your students and the cybersecurity industry, if you will, as a whole. So, thank you. I appreciate that.
So, let’s focus on USF here and talk about what are the programs available there? So, undergraduate, postgraduate, what’s available at USF?
Jordan Howell:
Yeah, absolutely. So, USF is a top 50 institute in the US. It has been for the past five years, and we offer several cybersecurity or cybersecurity adjacent programs. I’m not sure if that’s a term that’s been coined, but maybe it can be now.
Steve Bowcut:
It should be.
Jordan Howell:
It should be, right? Here’s an issue I have with academia, and it’s going to explain why I’m answering the way I’m answering. Academia is inherently subdisciplinary, right? So, you have these different colleges, and within the colleges you have different departments and everyone has to stake their domain. Right? They claim their territory because they want the revenue. Right? They receive money every time a student is enrolled in that department, in that college.
So, what’s happened at USF is you’ve seen a lot of programs develop across colleges that are all fantastic, but they’re only one piece of the puzzle. So, engineering has a cybersecurity program and it’s fantastic, but unfortunately it loses, or fails to include is probably a better word, the business aspect or the human aspect, the forensic aspect. Whereas conversely, in the College of Behavioral and Community Sciences, which is where I’m currently at, we’re developing out a cybercrime major.
And what we’re doing is we’re ensuring that we incorporate elements from across these disciplines to provide a more holistic lens. So, it won’t be purely engineering, purely behavioral and community sciences, purely business, but we want to incorporate elements from each of these programs to offer a more holistic cybersecurity solution that merges or bridges these subdisciplinary divides.
One program that I think has done that extremely well is there’s a master’s in cybercrime at USF. It’s a fully online program, and it’s actually where I completed the graduate certificate in digital forensics. And they hire professors with real industry experience, and they teach you the inner workings of computer systems while simultaneously ensuring that you understand the data collection process. So, their ability to teach you how to be a forensic investigator is absolutely unparalleled.
And the College of Business, they have programs as well. They’re more business focused. And as of right now, at least at USF, I’m only speaking to USF, that’s really important. These programs, at least in the College of Business, still need to be developed because while cybercrime, cybersecurity is this emergent issue and everyone wants a piece of the pie, right now, they’re more information systems, old school, they lack the cybersecurity skillset to advance the program and college the way that needs to be done. But I know they’re working to do that.
And soon, I think, the College of Business at USF and in general can really be the epicenter for cybersecurity excellence because they really are the most well-positioned, in my opinion, to bridge that technical and human aspect. Because if you’re in information systems, you have some of the tech skills that you’re learning in engineering and computer science, while simultaneously you’re still understanding decision-making, at least in the context of end user security and the business framework, right? Why businesses do what they do to ensure they maximize profit, minimize risks, et cetera.
Steve Bowcut:
Okay. So, there’s avenues whether a student’s interest is in more technical engineering or if it’s more business related or if it’s criminology related, there’s avenues. Are there actual degrees in each one of those schools or are there just an emphasis in your business degree kind of a thing?
Jordan Howell:
No. Yeah, there are degrees in each, right?
Steve Bowcut:
There’s cybersecurity degrees in each. Okay, good.
Jordan Howell:
Exactly. All with strange titles, right? Because no one can be something specific. So, in criminology, for example, it’s a master’s in cybercrime. We’re developing a bachelor’s in cybercrime.
Steve Bowcut:
Okay.
Jordan Howell:
In the College of Business, it’s cybersecurity assurance and management or something along those lines. And then arts and sciences, they have a really good program, I should have mentioned early on. It’s a master’s degree and it’s actually cybersecurity intelligence and information systems, and they do a really good job at bridging some of these subdisciplinary frameworks as well.
Steve Bowcut:
Interesting. All right. So, let’s pull back our focus a little bit. And a student that decides that USF is the place that they want to get their cybersecurity education, what are some extracurricular things that they could expect, events, clubs, organizations, those kinds of things?
Jordan Howell:
So, we’re building out, right now actually, we’re in the process of building out a student organization. We’re still playing with the names, but we like Cyber Defense Club. So, by next year, if someone enrolls, we should be fully up and running. We have a student board already assembled. We’re already in the process of filing all the paperwork. I’m going to be the factory … Not the factory, the faculty advisor.
It’s going to be a fantastic organization in which we bring in experts from academia and industry to provide lectures, provide information while simultaneously ensuring we get hands-on experience and learn how to extract evidence using digital forensics or how to gather intel using OSINT tools. So, that’ll be a fantastic opportunity once it’s in place, which again will be by next year at the very latest.
And then we have Sarasota Cybersecurity, the research lab that I founded and am the current director of. And that’s a very student-centric laboratory that brings students from across disciplines and allows them to get hands-on research experience and work with industry professionals to ensure they’re learning what they need to learn, which maybe they don’t in their discipline, right? Maybe they’re in one college who doesn’t offer one specific skillset. So, if they join the lab, they’re essentially able to balance out that degree program and ensure they have a more comprehensive understanding.
Steve Bowcut:
Okay. And so, undergraduate students are invited to participate in research opportunities as well?
Jordan Howell:
Oh, absolutely. Invited, encouraged. I like working with undergrads the best, to be honest. They bring forth a fresh mindset, perspective and energy that I think fosters energy in the rest of us, right?
Steve Bowcut:
Right.
Jordan Howell:
When you have undergrads in the lab and they’re eager, it provides me an ability to mentor and it gets me excited about what I’m doing because I see how excited they are and the potential that they have. So, I have several undergraduates, even some being as young as 18 years old who are key members of the lab, and I couldn’t do what we do without them.
Steve Bowcut:
Excellent. Okay. So, I think you’ve already demonstrated for our audience that your program is pretty unique, but is there any other characteristics or aspects that you’d like to point out that makes your program or programs at USF unique as compared to other educational opportunities that students may have?
Jordan Howell:
Yeah, I think the creation of Sarasota Cybersecurity is really what makes us unique because we have professors from across these different degree programs and they all bring something to the table, something very important. I hope I didn’t undersell that before. It’s just you need more than one important skillset if you want to be a leader in this field, because this field requires an understanding of so many different tools, techniques, and strategies. Having a singular degree in which you focus on only one of those disallows you to understand the threat landscape and predict and prevent the occurrence of future cybercrime incidents.
So, with Sarasota Cybersecurity, we have individuals from each of these degree programs who come together, work together on various projects, grant applications, proposals, and then students in these programs are invited to participate. So, they’re able to not only graduate with a degree from a top tier university, but they’re able to work closely with faculty, which leads to a better networking mentorship experience, but also it allows them to balance out their skill sets because maybe there’s someone from engineering who’s extremely technical and very skilled in what they do. But then there’s also someone from the cybercrime program who has this nuanced insight into threat actors’ behavior that the engineer may not have been exposed to.
So, when they work together on a project with guidance from faculty from across departments, it allows them to think more critically about what it is they do, and ultimately improve upon what they’re learning in the classroom and apply it in real life, which in my opinion, is the key to success in cybersecurity and quite frankly, life more generally.
Steve Bowcut:
Yeah. Excellent. Thank you. I appreciate that. That’s exactly where I wanted to go with my next question. I’d like to uncover, and I think you’ve already done a great job of demonstrating this as well, but the kinds of things that you’re doing to prepare students for real world cybersecurity challenges.
So, the research they’re doing, I’m sure that that translates into building the curriculum that they’re taught in the classroom. In addition to participating in the research, you’ve mentioned some business partnerships. Are there some things that you do along those lines to bring in what’s happening in the industry into the classroom?
Jordan Howell:
Yeah, that’s exactly right. So again, this is going to sound like I’m just disenchanted with academia, and that’s not the case. I just think we need to continuously improve upon what we’re offering to ensure students get the best experience possible. I’m an academic, right? So, by definition have to love it or pretend when I’m on podcast.
Steve Bowcut:
Right.
Jordan Howell:
Academia is great at understanding past events, right? That’s what academia was built for. It’s about understanding something that’s already occurred and allowing individuals to think more critically about the world around them. The issue with cybersecurity, at least from an academic standpoint, is cybersecurity is fast evolving. We can’t sit and theorize for years on why something happened in the 1930s, like academics can in other disciplines. That’s really important. That’s a skillset, right? But it’s not what we need in cybersecurity. We need people who are continually evolving their skills, working with industry to provide more evidence-based practices.
So, the way I approach academia is very business oriented. We go straight to our industry partners, leaders in the field, and we ask them, “What do you need? What are the issues you’re experiencing?” And we find they’re very receptive to that because it’s not a common approach. Oftentimes, our partners in industry will tell me, and all of my colleagues have the exact same experience, or at least those who’ve worked with people in the industry, they’ll say, “Listen, we hire someone straight out of school. And sure, they’re extremely bright, but we have to spend the next six months training them because they’re not learning what it is we need them to learn.”
Because you think about academia, computer science is a really good example. They’re particularly bad at this. You’ll have individuals that are professors in computer science, engineering, et cetera. They received their PhD 20, 30 years ago, right? And they haven’t updated their knowledge base to keep pace with industry standards. So, they’re teaching students today what was important 20 years ago. They graduate and the industry is saying, “Hey, that’s great. You’re bright. You understand the foundations, the basics.” So, I’m not in any way saying those degree programs aren’t worth pursuing, they are. They need to be updated, right?
And that’s exactly what it is we try to do in the classroom. We make sure that they understand these foundations, but we also want them to be equipped with what industry needs when they graduate, because ultimately that’s what’s going to lead them to get these careers, have a competitive advantage and be successful, because they’re able to hit the ground running.
Steve Bowcut:
Interesting. So, cybersecurity is becoming like any other discipline, I guess, is becoming more and more automated, more and more sophisticated tools. So, does what you just described, does that filter all the way down to the kinds of tools that they want students to be able to use?
So, when you graduate from USF with let’s say an undergraduate degree and you’re getting an entry level position in a cybersecurity organization or a department of a larger organization, are there specific tools that they’re telling you that students need to know how to use? Or, is it just the foundations and we’ll teach them the tools that we use?
Jordan Howell:
A little bit of both, right? So, one of the issues I should have elaborated a bit further is the landscape is always changing, right? In the 1990s, there was a famous book in which an academic was predicting the future of cybercrime, right? And he said, “In 2020, the biggest crime is going to be fax machine fraud.”
Steve Bowcut:
There you go.
Jordan Howell:
That’s not the case. Right? So, individuals who finished their PhD at this time are still teaching outdated methods, practices, et cetera, thinking about and trying to apply knowledge to a threat landscape that no longer exists. So, while industry does require the use of certain tools, we don’t necessarily focus on that specific tool, because it’ll be updated, it may change, it varies industry to industry.
But it’s the foundations and the ability to understand the current threat landscape and the different types of tools and tactics that cyber criminals are using in order to combat them, to safeguard systems, depending on their job, to conduct successful investigations, if that’s their job, or to offer policy recommendations if that’s their career path. So, really it’s about ensuring that the knowledge and foundations they receive are up-to-date, current and applicable in the cybersecurity landscape to essentially offset the fast-evolving cybercrime landscape. I tend to really [inaudible 00:27:03].
Steve Bowcut:
Yeah. Exactly. Yeah. Oh yeah, fast evolving. That’s an understatement, right? Even those of us who are in the industry every day are just shocked sometimes at how fast things are evolving and how quickly the threats are mounting.
So, let’s try and put together some resources that students could use. So, if you were to build a cybersecurity reading list, and this could be books or papers or lectures or podcasts or YouTube channels or anything that you would direct students towards. And I’ll mention that we’ll put these in the show notes so students can, if there’s a link available, will just be able to click right to it. So, what would that cybersecurity reading list look like?
Jordan Howell:
Yeah. Well, let me start with podcasts because you mentioned that. My favorite cybersecurity podcast right now is Darknet Diaries, Jack Rhysider. I’m sure you’re familiar with it. It’s really famous now.
Steve Bowcut:
Yeah.
Jordan Howell:
I started listening to it before it was. He just does a fantastic job talking about cyber security related issues in an accessible way. Right? It’s entertaining while also ensuring that you learn something each episode because he brings on experts, but not the boring professor like me necessarily, right? But people who are experts because they went to prison for hacking the systems, right?
Steve Bowcut:
Oh, okay.
Jordan Howell:
Because they were the pen testers. And I find those really fascinating because it’s the real stories of cyber criminals and essentially the cybersecurity solutions used to prevent it moving forward.
The Mitre Attack Framework, right? That should be on everyone’s reading list, I think it provides a better understanding of the landscape. Two of my favorite books, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. It’s written by Kevin Poulsen, I believe.
Steve Bowcut:
I think that’s right.
Jordan Howell:
Fantastic book. It’s an audiobook, right? So, I listen to those on my morning run sometimes. And the next one, and this is going to be kind of cliche and I’m sure no one’s suggested this one yet, is The Art of War. I think everyone who pursues a career in cybersecurity should read that because it really underscores the importance of intelligence gathering when you’re building out any type of security posture. And we so often forget that in the field of cybersecurity, right? We want to build these impenetrable systems without taking the time to understand our enemy, right?
Steve Bowcut:
Mm-hmm.
Jordan Howell:
And that’s extremely problematic. So, I think that framework, the lessons taught there allow us to think more critically about the ways in which we develop a defense system against a fast-evolving adversary.
Steve Bowcut:
Okay. Any other resources you want to mention?
Jordan Howell:
Well, I have several, but I’ll stop there for now, otherwise, I’m going to go on rants and mention 65 different articles and authors. Right? I have a whole bookshelf full.
Steve Bowcut:
Okay. Well, we appreciate that. All right, so we’re about out of time, but I want to end with this kind of a fun question. And it’s where we ask you to dust off your crystal ball and look into the future. So, what would you say the cybersecurity industry landscape is going to look like in five years or 10 years? And obviously, the purpose of the question is, if I’m a student and I’m just beginning my cybersecurity career or my education, what should I be looking for in the future or maybe preparing for?
Jordan Howell:
Yeah. So, I just appeared on a different podcast and I was asked to give advice to people starting their careers in cybersecurity. And without thinking, I said something that I liked, right? Which is rare. So, I’m going to say it again here to anyone who’s listening. Is, if it’s being taught in the classroom, it’s probably outdated already. Right? So, we need to ensure we’re always learning new strategies, techniques, skills, et cetera. We have to be professional, lifelong learners in order to keep pace with this fast-evolving threat landscape.
So, that’s my advice to anyone entering the field. Right? Always do your own research. You should always be learning. You can’t rely on someone else to teach you everything because I have strengths, but I have limitations and weaknesses. And while someone else may be able to fill those voids, there’s no one that can do that better than the learner themselves, because they can identify their own weaknesses, issues, et cetera.
But I think the cybersecurity landscape is going to change quite a bit in the next few years, to be honest. Academics have a vested interest in keeping things the same, right? That’s why they draw these arbitrary lines. They’re like, “Oh, this is cybersecurity. Well, this is cybercrime. Well, this is cyber intelligence.” But anyone who draws a distinction between those three things doesn’t belong in the discipline at all, in my opinion, right?
All of these sub-areas of cybersecurity are actually the same thing, right? You have to have all of these different areas. You have to have the technology. You have to have the understanding of human behavior. You have to understand how to extract actionable intel in order to provide a more robust cybersecurity framework and actually create systems that are, I’m using air quotes, “impenetrable.” Right?
And when I talk to my industry partners and my friends who aren’t as academic as some of my colleagues, they want this paradigm shift, right? They want to see people getting these more holistic educational experiences so they can think about cybersecurity in a more comprehensive way. And we’re going to see that, right? What’s going to happen is individuals and organizations outside of academia will start developing this type of program, and institutions will have no choice but to keep up.
And soon we’ll have degree programs that are developing the way … We’re trying to develop, the one I’m currently leading, that offers skills and expertise and frameworks from across all of these subdisciplinary borders, because only when we work together can we actually provide something that’s meaningful. So, I think that’s how it’s really going to change, right? We’re going to realize that to be successful in cybersecurity, you truly do have to be a jack of all trades.
Steve Bowcut:
Yeah. I really like that because of course, the adversary that we’re facing is not constrained by subdisciplinary boundaries, right? And you referenced this earlier and it just really resonates with me. Understanding your adversary has got to be the primary objective, the tools they’re going to use, the attack methods, the threat vectors, all of those things, that’s important and you need to know that.
But you really need to know who these people are and why they’re doing what they’re doing. And that is very complicated and it’s complex because there’s different adversaries with different objectives and you need to understand what motivates them in order to anticipate what they’re going to do next as opposed to waiting to see what they did successfully and now try and find some way to stop it. So, I really appreciate that.
Jordan Howell:
Yeah, the reactive approach has to go, it needs to be replaced with a more proactive model. And I work closely with lots of individuals within the hacking community, active malicious hackers. And I asked one of my friends and colleagues, for the lack of a better word … I enjoy talking to these individuals, really, they’re so intelligent and thoughtful that chatting with him is always a very pleasant experience. Right?
And I just asked him straight up, “This is the approach academics have taken. This is the approach the cybersecurity industry and law enforcement agencies have taken so far. What is your opinion?” And he writes me a long email explaining how malicious hackers, he uses the term illegal hackers, will always be ahead of the game because they’re not bound by certain parameters, they work 24/7 and they essentially are allowed to be more innovative, creative. And that alone allows them to stay two steps ahead. And until we keep up with that mindset and maybe develop it ourselves, they’ll always be two steps ahead.
Steve Bowcut:
Exactly. We’re always playing catch up, and that’s a tough position to be in, always playing defense. All right, well we’re out of time, but thank you so much. Jordan, I really appreciate, this was fascinating. I’m sure our audience is going to find this very useful. I sincerely appreciate your time today.
And a big thanks to our listeners for being with us as well. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.